Providing ‘Defence in Depth’ for Smart Grid SCADA Systems with Intrusion Detection

SPARKS recently released a document investigating the definition of an intrusion detection system (IDS) that can contribute to securing smart grid Supervisory Control and Data Acquisition (SCADA) SCADA networks. Our main aim is to apply an IDS solution to a solar generation scenario, which focuses on IP-networked photovoltaic inverter devices. This scenario was the focus of our 2nd Stakeholder Workshop. There is no single action that results in an intrusion, and no single tool or mitigation that can completely protect a SCADA network. In our document, we presented the diagram below to illustrate how the skills and knowledge of an adversary can vary, and how we can respond in terms of defence. Indeed, the basis of our intrusion detection strategy holds true for a wide range of scenarios beyond smart grid networks.

An overview of the different aspects of SCADA network intrusion detection carried out in the SPARKS project: different techniques can be applied — whitelisting, stateful analysus or anomaly detection — depending on the sophistication of the attacker and the presence of prior knowledge about the attack. In this way, we provide ‘defence in depth’ in order to mitigate a range of threat scenarios.

On the left of the diagram we consider how the skills of an adversary can range from the ability to produce simple attacks, often carried out using freely available tools that provide an easy automated process, to very sophisticated actions that require expert domain knowledge about the devices, protocols and configuration of the underlying smart grid system. (See our earlier blog entries on the Dragonfly attack and the attacks to a German steel mill for examples of the latter.) The bottom of the diagram similarly illustrates the spectrum of attacks that may be encountered, which span from well documented vulnerabilities, for which detection signatures exist, to exploits of unknown vulnerabilities (zero days) about which we have no prior information.

Defence in depth‘ is a well-established model towards ensuring the security of a system. In our document, we identify how a layered approach of three defensive measures can contribute towards tackling a spectrum of threats against smart grid SCADA networks. Whitelisting is a signature-based approach that can be used to allow only communications prescribed as valid within a given system, thus preventing simple attacks such as port scanning and illegal connections. Such an approach constitutes basic ‘cyber hygiene’ to thwart activities aimed at probing target systems, or attempting basic exploits. Whitelisting normally operates on a packet-by-packet basis. A second layer of stateful analysis can be used to continuously monitor network communications at a flow level, to monitor events based on tracking the status of the connected physical devices to identify any deviations from pre-constructed profiles.

However, the most sophisticated attacks can be designed to ultimately appear ‘normal’ in order to avoid violating constructed profiles. In the next phase of our research in developing a SCADA IDS we aim to address these challenging types of attack by exploring synergies with other SPARKS activities that focus on control system resilience and security analytics. Our aim is to combine our expertise in these domains to develop an intrusion detection capability to provide a third ‘anomaly detection’ defensive layer. We have reached a truly exciting phase of the project and we are excited to see where our collective efforts can take us.